Merge pull request #146 from NathanaelGT/prevent-xss-attack

Prevent xss attack

resources/views/assets/scripts.blade.php

@@ -13,6 +13,12 @@ function copyToClipboard(button) {
         document.body.removeChild(el);
     }
 
+    function htmlSpecialChars(string) {
+        const el = document.createElement('div');
+        el.innerText = string;
+        return el.innerHTML;
+    }
+
     function isV2() {
         return window.Alpine && window.Alpine.version && /^2\..+\..+$/.test(window.Alpine.version)
     }

resources/views/components/editable.blade.php

@@ -12,7 +12,7 @@
        field: '{{ $field }}',
        content: '{{ addslashes($row->{$field}) }}'
     }">
-    <div x-text="content"
+    <div x-html="content"
          style="border-bottom: dotted 1px; cursor: pointer"
          x-show="!editable"
          x-on:dblclick="editable = true"
@@ -22,12 +22,12 @@
         <input
             type="text"
             x-on:dblclick="editable = true"
-            x-on:keydown.enter="sendEventInputChanged($event, id, field); editable = false; content = $event.target.value"
+            x-on:keydown.enter="sendEventInputChanged($event, id, field); editable = false; content = htmlSpecialChars($event.target.value)"
             :class="{'cursor-pointer': !editable}"
             class="{{ $theme->inputClass }} p-2"
             x-ref="editable"
             x-text="content"
-            :value="content">
+            :value="$root.firstElementChild.innerText">
     </div>
 </div>
 

src/PowerGridEloquent.php

@@ -32,7 +32,7 @@ public static function eloquent(): PowerGridEloquent
      */
     public function addColumn(string $field, Closure $closure = null): PowerGridEloquent
     {
-        $this->columns[$field] = $closure ?? fn ($model) => $model->{$field};
+        $this->columns[$field] = $closure ?? fn ($model) => e($model->{$field});
 
         return $this;
     }